Thursday, July 16, 2009

New virus can update itself

Symantec: W95.Babylonia attacks .exe and .hlp files

Various anti-virus companies are warning of a new piece of malware that is able to update itself. "This is just the tip of the iceberg," said Symantec adviser Eric Chien of the appearance of "W95.Babylonia". "Virus writers are turning more and more to network-centric ideas to write new types of programs."

The names known so far for e-mail attachments carrying the malicious payload are:

I-WATCH-U.EXE
BABILONIA.EXE
X-MAS.EXE
SURPRISE!.EXE
JESUS.EXE
BUHH.EXE
CHOCOLATE.EXE

Symantec has counted 24 virus infections since Babylonia first appeared on 6 December (www.symantec.com/ ...), Computer Associates 15 since 3 December. The eleven-KByte program attacks ".exe" and ".hlp" files on Windows 95 but so far does no damage. The experts expect that destructive variants of this "confusion of tongues" will not be long in coming.

The virus first appeared in a newsgroup, disguised as a Windows Help file named "serialz.hlp" that purported to be a list of serial numbers for commercial software. When the file is opened, the virus copies itself into kernel memory and creates a new four-KByte file named "c:\babylonia.exe". babylonia.exe then copies itself as "KERNEL32.EXE" into the Windows system directory and registers that copy under "Software\Microsoft\Windows\CurrentVersion\Run".

As a result, the program launches itself at every start. It checks whether the application "RNAAPP.EXE", which under Windows 9x is active in online mode, is running. If it is, the program opens a connection to a Japanese hacker's site. From there it downloads a text file named "virus.txt". This file lists the names "dropper.dat", "greetz.dat", "ircworm.dat" and "poll.dat". These files use a special format with a header that begins with "vmode". Vmode stands for "virus modules".

Finally, the four downloaded files become active and, among other things, send the message "Quando o mestre chegara?" to the address babylonia_counter@hotmail.com. This lets the author determine the number of infected computers. The virus spreads further via mIRC.

According to Symantec, the author, "Vecna", belongs to the Latin American group of virus writers known as 29A.

Users can recognize an infection by the entry "W95/Babylonia by Vecna (c) 1999" in c:\autoexec.bat. An update of the anti-virus software should protect against infe
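The host indicators named in this article (the dropped babylonia.exe, the KERNEL32.EXE copy, the autoexec.bat entry and the attachment names) can be checked on a mounted disk image with a short script. This is an added example, not part of the original article; the function names and the WINDOWS\SYSTEM location are assumptions, and the sample tree is constructed.

```python
import os
import tempfile

# Indicators taken from the article above.
DROPPED_NAMES = {"babylonia.exe", "kernel32.exe"}   # dropper and its system-directory copy
ATTACHMENT_NAMES = {"i-watch-u.exe", "babilonia.exe", "x-mas.exe", "surprise!.exe",
                    "jesus.exe", "buhh.exe", "chocolate.exe"}
MARKER = b"w95/babylonia by vecna"                  # entry written to autoexec.bat


def triage(root):
    """Walk a mounted Windows 95 volume and return (indicator, path) pairs."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            lowered = name.lower()          # FAT file names are case-insensitive
            path = os.path.join(folder, name)
            if lowered in DROPPED_NAMES:
                hits.append(("dropped file", path))
            elif lowered in ATTACHMENT_NAMES:
                hits.append(("known attachment name", path))
            elif lowered == "autoexec.bat":
                with open(path, "rb") as fh:
                    if MARKER in fh.read().lower():
                        hits.append(("autoexec.bat marker", path))
    return sorted(hits)


def build_sample(infected):
    """Constructed directory tree standing in for a mounted C: volume."""
    root = tempfile.mkdtemp()
    system = os.path.join(root, "WINDOWS", "SYSTEM")   # assumed default location
    os.makedirs(system)
    open(os.path.join(system, "KERNEL32.DLL"), "wb").close()   # legitimate library
    autoexec = b"@ECHO OFF\r\n"
    if infected:
        open(os.path.join(root, "BABYLONIA.EXE"), "wb").close()
        open(os.path.join(system, "Kernel32.exe"), "wb").close()
        autoexec += b"W95/Babylonia by Vecna (c) 1999\r\n"
    with open(os.path.join(root, "AUTOEXEC.BAT"), "wb") as fh:
        fh.write(autoexec)
    return root


if __name__ == "__main__":
    for infected in (True, False):
        for indicator, path in triage(build_sample(infected)):
            print(indicator, path)
```

The Run-key entry is not covered here because it lives in the Windows 9x registry files rather than in the file tree.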
